Feature Comparison

The following table summarizes the advantages offered by Samsung Knox devices over non-Samsung devices, and Knox Platform for Enterprise (KPE) over Android Enterprise (AE). KPE Standard adds security claims and abilities on top of AE. KPE Premium provides even more powerful features for enterprise deployments. For more information, see the Knox Platform for Enterprise home page.

Table columns: Feature | AE on non-Samsung devices | KPE Standard on Samsung devices | KPE Premium on Samsung devices | Advantages of KPE over AE. Each entry below gives the feature, then the advantage KPE offers over AE.

All Android Enterprise Features
    KPE incorporates AE. Running AE on Samsung devices also comes with improved security and manageability controls.

Hardware-Backed Keystore
    This is a hardware-dependent claim. AE has required a hardware-backed keystore since Android 7, but the device manufacturer must ultimately implement it, and not every manufacturer does. All Knox devices ship with a keystore backed by hardware protections.

Secure Lockdown on Tampering
    Upon detecting a critical security compromise, the system locks down sensitive areas, preventing unauthorized access to and leakage of enterprise data. Samsung prevents whole components from running when there is evidence of device tampering; AE limits its claims to preventing access to previously installed keys.

Remote Device Health
    Get visibility into which devices have security issues, such as unauthorized firmware, so you can take action right away. AE provides software-based SafetyNet APIs, while KPE provides hardware-based device attestation checks. AE has no device-unique signing key, which leaves it exposed to device identity spoofing.

Audit Log
    Provides comprehensive device audit logs for troubleshooting and for satisfying government compliance requirements.

Keystore Support of eSE & Other High-Security Storage
    AE adds eSE support in Android P (StrongBox). KPE already supports eSE, as well as third-party secure storage options through vendor plugins. Because this goes through the UCM framework, no app changes are required.

    Note: eSE is not available with these country-carriers: USA - Verizon, Korea - All, Japan - All, Canada - Telus.
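
The Hardware-Backed Keystore and eSE rows above both come down to one question for an app or an MDM agent: where does the key material actually live? The following is an added example, not Samsung's or Android's own code. It generates an EC signing key in the Android keystore, asks for StrongBox (the eSE-backed Keymaster that Android P introduced) and falls back to the TEE when the device has none, then reads back the KeyInfo to classify the key as StrongBox, TEE, or software-only. Only public Android APIs are used; the class name, method names, and key alias are the example's own, and it has to run on a device, since the AndroidKeyStore provider does not exist on a desktop JVM.

```java
// Added example (not Samsung's or Android's own code): generate an EC key in the
// AndroidKeyStore, preferring StrongBox (eSE-class secure element) and falling
// back to the TEE, then verify where the key actually lives before trusting it.
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;

import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.spec.ECGenParameterSpec;

public final class KeystoreHardwareCheck {

    private static final String KEYSTORE = "AndroidKeyStore";

    /** Where the keystore reports the private key material is held. */
    public enum Backing { SOFTWARE, TEE, STRONGBOX }

    /**
     * Generates an ECDSA P-256 signing key under the given alias. Requests StrongBox
     * first; if the device has no StrongBox Keymaster, retries without it so the key
     * lands in the TEE-backed keystore (or in software on a non-compliant device).
     */
    public static PrivateKey generateSigningKey(String alias) throws Exception {
        KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(
                alias, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256);

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            try {
                KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                        KeyProperties.KEY_ALGORITHM_EC, KEYSTORE);
                kpg.initialize(builder.setIsStrongBoxBacked(true).build());
                return kpg.generateKeyPair().getPrivate();
            } catch (StrongBoxUnavailableException e) {
                // No eSE/StrongBox on this device or carrier variant: fall back.
                builder.setIsStrongBoxBacked(false);
            }
        }
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, KEYSTORE);
        kpg.initialize(builder.build());
        return kpg.generateKeyPair().getPrivate();
    }

    /**
     * Asks the keystore where the private key is held. KeyInfo is the authoritative
     * source; the fact that the "AndroidKeyStore" provider accepted the key says
     * nothing about whether secure hardware backs it.
     */
    public static Backing inspect(PrivateKey key) throws Exception {
        KeyFactory factory = KeyFactory.getInstance(key.getAlgorithm(), KEYSTORE);
        KeyInfo info = factory.getKeySpec(key, KeyInfo.class);

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            switch (info.getSecurityLevel()) {
                case KeyProperties.SECURITY_LEVEL_STRONGBOX:
                    return Backing.STRONGBOX;
                case KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT:
                    return Backing.TEE;
                default:
                    // SECURITY_LEVEL_SOFTWARE, or SECURITY_LEVEL_UNKNOWN_SECURE for a
                    // hardware key whose exact level the device cannot report.
                    return info.isInsideSecureHardware() ? Backing.TEE : Backing.SOFTWARE;
            }
        }
        // Before API 31 only a yes/no answer is available.
        return info.isInsideSecureHardware() ? Backing.TEE : Backing.SOFTWARE;
    }

    /** Example policy: refuse to use a key that hardware does not protect. */
    public static PrivateKey requireHardwareKey(String alias) throws Exception {
        PrivateKey key = generateSigningKey(alias);
        if (inspect(key) == Backing.SOFTWARE) {
            throw new SecurityException(
                    "Keystore is software-only on this device; hardware-backed key required");
        }
        return key;
    }
}
```

On the carrier variants listed in the note above, the StrongBox request throws StrongBoxUnavailableException and the fallback path runs, so inspect() returns TEE rather than STRONGBOX. A SOFTWARE result is the case the Hardware-Backed Keystore row warns about: a manufacturer that did not implement a hardware-backed keystore. Whether the key is then usable for the enterprise's purpose is the caller's policy decision, which requireHardwareKey() shows in its strictest form.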

Real-Time Kernel Protection (RKP)
    Drastically limits possible attacks on Samsung devices with kernel attack prevention features covering kernel code, kernel data, and kernel control flow.

Sensitive Data Protection (SDP)
    With basic AE, device data is decrypted once the device boots. With KPE's SDP, selected files remain encrypted at runtime and are decrypted only after the device user authenticates at the device lockscreen or the Work container login. KPE ejects the decryption keys when the device or Work container locks, and complies with the MDFPP (Mobile Device Fundamentals Protection Profile) requirements used by the US government and military.

Enforced Two-Factor
    Enables IT admins to force end-user two-factor authentication for logging in to a Work container or Managed Device. Authentication can be through biometrics (fingerprint, iris, face) or more traditional means (password, PIN, pattern).

Government-Grade Common Criteria Mode
    Simplifies configuring devices into a compliant state for Common Criteria (defense) deployments.

App Isolation Groups
    Unlike classic app containers, which have a GUI, "invisible" app isolation groups let you isolate one set of apps from any other set. Up to 300 groupings are possible.

Secure Certificate Enrollment Agents (SCEP, CMP, CMC/EST protocols)
    Samsung provides a free set of certificate enrollment agents that follow current security protocols, so there is no reason to enroll certificates insecurely or to implement your own enrollment protocol.

Manage Device Software Updates
    The Samsung E-FOTA license enables controlled rollout of firmware updates after internal testing, which avoids compatibility problems with proprietary systems or apps and minimizes user interaction for updates. KPE provides granular firmware controls that AE lacks: for example, set the highest accepted firmware version, apply a specific firmware version to a set of devices at a specific date and time, or block all automatic firmware updates.

Remote Control
    When enabled through device policy settings, this feature lets IT admins control employee devices remotely to troubleshoot and fix mobile devices in the field. AE only supports viewing the device screen remotely; it does not support injecting input events to control the device.

Customization
    Lets IT customize various aspects of the device software and UI beyond what AE offers. KPE Standard can enable and disable the task manager, hardware keys, multi-window mode, and more. KPE Premium can additionally customize the boot banner and animation, block specific system notifications, customize the items on the power off dialog, map volume keys to app task switching, and more.

Granular Roaming Controls
    IT can allow or disallow the use of roaming mobile connections, which often incur high call, text, and data rates. AE only lets IT admins disable mobile data; it cannot block calls or app update downloads while allowing other data use. KPE Premium also enables separate roaming controls for each APN to cover split billing.

Admin Device Lock
    Lets IT lock out all use of a device, including access with valid credentials. This is valuable for handling end-user policy violations, including travel to hostile countries.

Data Sharing Policy
    AE provides search for work contacts from personal contacts, but KPE syncs Contacts, Calendar, and Notifications between personal and work. KPE also provides a unified Calendar showing both personal and work events.

Firewall Management
    Industry-exclusive ability to set device firewall rules. KPE can also notify IT when employees attempt to visit blocked domains.

Granular Device Policies
    Meet compliance or other deployment requirements with policies that AE does not support: SMS/MMS disclaimers, RCS/SMS/MMS logging, call restrictions, read and write restrictions on SD cards, granular Bluetooth profile restrictions, and DeX deployment settings.

Unlock using Active Directory Credentials
    No need to make employees remember separate credentials for Windows laptops and mobile devices. Device users can unlock their devices with their existing Active Directory credentials.

Split Billing (Dual APNs)
    Enables enterprises to pay only for the data used by their approved business apps. Employees are responsible for the fees for personal data usage.

Network Analytics
    Lets IT deploy network threat detection solutions without granting such tools complete access to all network traffic.

VPN Granularity: Per-App, Per-Container, or Whole Device
    KPE provides the most granular VPN controls. You can configure a VPN tunnel not just for a container or for individual apps, but also for the whole device.

Always On VPN
    KPE has strict controls that block any traffic from bypassing a configured VPN, even when the VPN client crashes or while the device is rebooting.

On-Demand VPN
    You can set a VPN to activate only when certain target apps are launched or running. This feature does not require support from the VPN client.

HTTP Proxy over VPN
    Enables the use of web proxies on tunneled VPN traffic.

VPN Chaining
    Allows the use of two VPN tunnels to double-encrypt traffic, enhance anonymity, and prevent a single security bug in one VPN layer from compromising network encryption.

Near-instant VPN connection times
    The Knox VPN framework allows a near-instant VPN connection, clocking in at about one second. This time is measured from when the VPN handshake and authentication complete to when the tunnel is established and traffic from any tunneled app can pass through it. The threshold applies to all enrolled apps, assuming 100 apps enrolled in the VPN profile.